Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Ensuring all VLANs/subnets are covered in VA & industry practices

Posted on 2016-10-06
5
Medium Priority
?
153 Views
Last Modified: 2016-11-07
Q1
As governance/compliance person, I'm often not being updated by network teams when
new VLANs / subnets are being created.  Network diagram may not be updated timely too.
What are the surest ways to check?  Get a readonly account on the core-switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporate?

Q2
For Cisco switches/routers, is there a way to automatically configure something to obtain
output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or
TACACS+ do this?

Q3
For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only
servers VLANs/zones only ie DMZ, Apps/internal, DB & management zones only (is
Management crucial)  or  users/PCs VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:sunhux
ID: 41831520
We have both Cisco & Nexus switches/routers, so do provide the commands
0
 

Author Comment

by:sunhux
ID: 41831526
This whole thing arises from auditor: how do we ensure and show evidence
that all network segments are scanned (& he meant the relevant segments)
0
 
LVL 14

Accepted Solution

by:
SIM50 earned 2000 total points
ID: 41831794
As governance/compliance person, I'm often not being updated by network teams when new VLANs / subnets are being created.  Network diagram may not be updated timely too. What are the surest ways to check?  Get a readonly account on the core-switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporate?

I think it would be better to look at the routing table to see if new routes were installed. Take a snapshot and then run a compare from time to time. The core switch would be the best place to look it up. I wouldn't look at the VLANs because not all of them might exist on that switch.
Edit: Forgot to mention this. It also depends on your internal routing protocol. For EIGRP, this would work no problem. For OSPF, I would get a routing table from each ASBR as the routes are usually summarized when they cross area boundaries.

For Cisco switches/routers, is there a way to automatically configure something to obtain output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or TACACS+ do this?

Look up Cisco Embedded Event Manager (EEM). There are applets for what you want. Might require a bit of scripting.

For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only servers VLANs/zones only ie DMZ, Apps/internal, DB & management zones only (is
Management crucial)  or  users/PCs VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?

Not sure what you are asking here. Can you please elaborate? What is VA, UAT?
0
 

Author Comment

by:sunhux
ID: 41832853
VA = Vulnerability Assessment
Some VA tools are like Nessus, McAfee Vulnerability Manager

UAT = a User Acceptance Test (ie a test server)
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 2000 total points
ID: 41833522
I do network security designs and implementations so systems and policies are not really my forte. From my experience though, vulnerability scanning depends on the corporate policy and the compliance standard a company falls under. Like for PCI, you should scan all devices that fall in the scope. Scanning the rest depends on the policy but usually you scan all internet facing and important servers (AD, DBs, etc) and devices.

Management VLAN should be locked down to access only from certain PCs and ideally those PC's should be scanned.

User PC's usually fall under one departmental or company management policy from AD GPOs and WSUS. You can take a sample of PCs and scan them. The results should be similar.

For DR, it depends what kind of DR. Does it have live data for hot failover? If yes then it falls under the same scanning policy as production. If it's warm DR than you need to scan storage devices with the backup data.
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question